On Wed, Aug 18, 2010 at 5:20 AM, Mark F <[email protected]> wrote:
> Hi All,
>
> I'm trying to find out if ossec can be used for my needs. Certain standards
> that need to be adhered to mean using great software like ossec for log
> parsing is a must.
>
> However, the biggest thing is that I cannot have logs missed and go
> unnoticed. Therefore my plan is to send all logs to a central rsyslog host
> and have rsyslog outputting to text files (because ossec can't read direct
> from a database?) but also to a database (to use something like LogAnaliser
> or Logzilla).
>
> The major thing here is really that the logging mechanism cannot miss
> anything. So if a log entry isn't known to ossec currently, I understand it
> basically won't be alerted on because it won't match a rule or decoder; this
> just isn't good enough to be able to meet the standards I want to set. Therefore
> I'd like to know if it's possible to catch all if no decoder is matched and
> alert on the logs that don't match a decoder... but the same goes for rules
> at the respective decoder level: if the rules aren't matched for that
> decoder, again an alert is to be sent so that the admin can look at the log
> message and then make corrective changes to stop the log message being
> alerted on or to create an appropriate rule.
>
> Thanks All
>
Someone else on the list is experimenting with a catch-all rule. I don't know if it's working or not. There's nothing currently in the system to do this though.

You could go with something like logwatch to summarize logs. Then look through the **Unmatched Entries** section and add those to logwatch so you don't see them again. Also check to make sure ossec identifies them.

With a bit of scripting and ossec-logtest you could probably come up with a way to find out what isn't being identified properly. Pipe your logs through ossec-logtest and parse the output to see what is identified and what isn't. You can also use the output to write rules to identify these things.

Other than that, posting something on http://ossec.uservoice.com/ about a "catch-all" type of option might be worthwhile. I don't think it's a setting I'd like to see as default, but it wouldn't be a bad option.
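The "pipe logs through ossec-logtest and parse the output" approach from the reply above, as an added example that is not part of this thread or of the OSSEC project. It assumes the ossec-logtest output format embedded in SAMPLE_OUTPUT below (the `**Phase N` blocks, the `No decoder matched.` line, and `Rule id:` / `Level:` lines); the sample is constructed, not captured, so check the regexes against a real ossec-logtest run before relying on them. The `run_logtest` wrapper assumes the default install path `/var/ossec/bin/ossec-logtest`, that it reads one log per line on stdin, and that the phase output goes to stdout; it needs an installed OSSEC and is not exercised offline. Beyond the two cases the reply mentions (no decoder, no rule), the script also flags events that matched only a level-0 rule, since OSSEC never alerts on level 0 and such lines are just as invisible to an admin.

```python
"""Find log lines OSSEC would not alert on: no decoder, no rule, or level-0 rule only."""
import re
import subprocess

# Constructed sample of what ossec-logtest prints when three lines are piped
# through it (not real captured output; format is an assumption to verify).
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'Aug 18 05:20:01 host sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2'
       hostname: 'host'
       program_name: 'sshd'
       log: 'Failed password for root from 10.0.0.1 port 22 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '10.0.0.1'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
       Description: 'SSHD authentication failed.'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
       full event: 'Aug 18 05:21:00 host myapp[77]: widget 42 reconfigured by operator'
       hostname: 'host'
       program_name: 'myapp'
       log: 'widget 42 reconfigured by operator'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 1: Completed pre-decoding.
       full event: 'Aug 18 05:22:00 host sshd[1234]: some message nobody wrote a rule for'
       hostname: 'host'
       program_name: 'sshd'
       log: 'some message nobody wrote a rule for'

**Phase 2: Completed decoding.
       decoder: 'sshd'

**Phase 3: Completed filtering (rules).
       Rule id: '5700'
       Level: '0'
       Description: 'SSHD messages grouped.'
"""

PHASE1_RE = re.compile(r"^\*\*Phase 1: Completed pre-decoding\.", re.M)
EVENT_RE = re.compile(r"^\s*full event: '(.*)'\s*$", re.M)
DECODER_RE = re.compile(r"^\s*decoder: '([^']*)'", re.M)
RULE_RE = re.compile(r"^\s*Rule id: '(\d+)'", re.M)
LEVEL_RE = re.compile(r"^\s*Level: '(\d+)'", re.M)


def parse_logtest_output(text):
    """Split ossec-logtest output into one record per event.

    Each record holds the raw event plus decoder, rule id and level
    (None where the corresponding phase printed nothing).
    """
    records = []
    for chunk in PHASE1_RE.split(text)[1:]:  # text before the first Phase 1 is banner noise
        ev, dec = EVENT_RE.search(chunk), DECODER_RE.search(chunk)
        rule, level = RULE_RE.search(chunk), LEVEL_RE.search(chunk)
        records.append({
            "event": ev.group(1) if ev else None,
            "decoder": dec.group(1) if dec else None,
            "rule_id": int(rule.group(1)) if rule else None,
            "level": int(level.group(1)) if level else None,
        })
    return records


def classify(record):
    """Name the reason a line is invisible to the admin, or 'alerted' if it is not."""
    if record["decoder"] is None:
        return "no-decoder"
    if record["rule_id"] is None:
        return "no-rule"
    if record["level"] == 0:
        return "level-0"  # matched a grouping rule only; OSSEC never alerts on level 0
    return "alerted"


def unidentified(text):
    """Return (reason, event) for every event in the output that would not alert."""
    return [(classify(r), r["event"]) for r in parse_logtest_output(text)
            if classify(r) != "alerted"]


def run_logtest(lines, binary="/var/ossec/bin/ossec-logtest"):
    """Pipe raw log lines through ossec-logtest (assumed: one log per line on stdin,
    phase output on stdout) and return the text for parse_logtest_output."""
    proc = subprocess.run([binary], input="\n".join(lines) + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with run_logtest(open(path)) on a live host.
    for reason, event in unidentified(SAMPLE_OUTPUT):
        print(f"{reason:12s} {event}")
```

The "no-decoder" lines are candidates for a new decoder, the "no-rule" and "level-0" lines for a new rule under the existing decoder; feeding a day's raw syslog through `run_logtest` and diffing the resulting list against the previous day's is a cheap way to notice when an application starts emitting messages OSSEC silently drops.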
